LOGIN_RADIUS(8) OpenBSD System Manager's Manual LOGIN_RADIUS(8)
NAME
login_radius - contact radiusd for authentication
SYNOPSIS
login_radius [-s service] [-v name=value] user [class]
DESCRIPTION
The login_radius utility contacts the radiusd daemon to authenticate a
user. If no class is specified, the login class will be obtained from
the password database.
When executed under the name login_style, login_radius will ask radiusd
to use the authentication style specified by style.
Available options are:
-s Specify the service. Currently only challenge, login, and
response are supported.
-v This option and its value are ignored.
The login_radius utility needs to know a shared secret for each radius
server it talks to. Shared secrets are stored in the file
/etc/raddb/servers with the format:
server shared_secret
Rather than requesting the radius style directly (in which case the
radiusd server uses a default style), login_radius is expected to be
linked to the names of the various mechanisms desired. For instance, to
have all CRYPTOCard and ActivCard authentication take place on a remote
server via the radius protocol, remove the login_activ and login_crypto
modules and link login_radius to both of those names. Now when the user
requests one of those authentication styles, login_radius will
automatically forward the request to the remote radiusd and ask it to
perform the requested style of authentication.
LOGIN.CONF VARIABLES
The login_radius utility uses the following radius-specific
/etc/login.conf variables:
radius-server            Hostname of the radius server to contact.

radius-server-alt        Alternate radius server to use when the primary
                         is not responding.

radius-challenge-styles  Comma-separated list of authentication styles
                         that the radius server knows about. If the
                         user's authentication style is in this list the
                         challenge will be provided by the radius server.
                         If not, login_radius will prompt the user for
                         the password before sending the request (along
                         with the password) to the radius server.

radius-timeout           Number of seconds to wait for a response from
                         the radius server. Defaults to 2 seconds.

radius-retries           Number of times to attempt to contact the radius
                         server before giving up (or falling back to the
                         alternate server if there is one). Defaults to
                         6 tries.
FILES
/etc/login.conf login configuration database
/etc/raddb/servers list of radius servers and their associated shared
secrets
SEE ALSO
login(1), login.conf(5)
CAVEATS
OpenBSD does not ship with a radius server in the default install;
however, several are available via packages(7).
For login_radius to function, the /etc/raddb directory must be owned by
group ``_radius'' and have group-execute permissions. Likewise, the
/etc/raddb/servers file must be readable by group ``_radius''.
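
The ownership and permission requirements above can be audited with a short shell function. This is an added example, not part of the original manual page: the name check_raddb is hypothetical, "readable by group" is checked as group ownership plus the group-read bit, and the world-readable check is an extra assumption the page does not state.

```sh
#!/bin/sh
# Added example, not from the man page: audit the CAVEATS requirements.
# Usage: check_raddb [dir] [group]   (returns 0 only if every check passes)
check_raddb() {
    dir=${1:-/etc/raddb}
    grp=${2:-_radius}
    file="$dir/servers"
    bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

    [ -d "$dir" ] || { fail "$dir is not a directory"; return 1; }
    # "ls -ld" prints: mode links owner group ...
    dmode=$(ls -ld "$dir" | awk '{print $1}')
    dgrp=$(ls -ld "$dir" | awk '{print $4}')
    [ "$dgrp" = "$grp" ] || fail "$dir group is '$dgrp', expected '$grp'"
    case $dmode in
        d?????[xs]*) ;;    # 7th character: group-execute bit is set
        *) fail "$dir lacks group-execute ($dmode)" ;;
    esac

    [ -f "$file" ] || { fail "$file is missing"; return 1; }
    fmode=$(ls -ld "$file" | awk '{print $1}')
    fgrp=$(ls -ld "$file" | awk '{print $4}')
    [ "$fgrp" = "$grp" ] || fail "$file group is '$fgrp', expected '$grp'"
    case $fmode in
        -???r*) ;;         # 5th character: group-read bit is set
        *) fail "$file is not group-readable ($fmode)" ;;
    esac
    # Assumption beyond the man page: shared secrets should not be
    # readable by "other" (8th character of the mode string).
    case $fmode in
        -??????r*) fail "$file is world-readable ($fmode)" ;;
    esac

    # Each entry is "server shared_secret". Count entries with no secret;
    # only a count is reported so that secrets never reach the output.
    n=$(awk 'NF == 1 { c++ } END { print c + 0 }' "$file" 2>/dev/null)
    [ "${n:-0}" -eq 0 ] || fail "$n entry(ies) in $file lack a shared secret"

    [ "$bad" -eq 0 ]
}
```

Source the file and run check_raddb with no arguments to audit /etc/raddb against group _radius.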
OpenBSD 3.4 August 23, 1996